
Message Authentication

Message authentication allows you to verify whether an email originates from where it claims to come from. Sophos Email Security uses DMARC, SPF, and DKIM to do this.

Message authentication checks are performed in the order they appear in the UI. If an email fails the first sender authentication, the other authentications are not carried out. See How Message Authentication works.

For more information on the order in which authentications are carried out in different scenarios, see Sequence of Message Authentication.

We recommend that you set each message authentication category to Quarantine.

You can override the message authentication by allowing domains and email addresses in the Inbound allow list.

For each message authentication, you can choose to send messages that fail to End User Quarantine.

DMARC

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication policy and reporting protocol. It builds on the DKIM and SPF protocols to detect and prevent email spoofing. You can control what happens to messages that fail DMARC checks.

Select from:

  • Conform to sender policy: What happens to the message depends on what the sender stated in their DMARC policy. This is the default value.
  • Tag subject line: Email Security adds a tag to the message's subject line indicating that it is a spoofed message.
  • Quarantine: Message is quarantined.
  • Reject: Message is rejected.
  • Deliver: Message is delivered to the next stage.
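As an added illustration of the "Conform to sender policy" choice and the overrides beside it, the following Python decides a DMARC disposition from the sender's published policy and the SPF and DKIM results that were computed earlier. This is example code written for this page, not Sophos Email Security's implementation; the DMARC records, the action names, the `AuthResults` structure and the simplified organizational-domain rule are all constructed assumptions.

```python
"""Added example, not Sophos code: decide the DMARC disposition of a message
from the sender's published DMARC policy and the already-computed SPF and
DKIM results. DNS is replaced by a constructed in-memory table and the
organizational-domain rule is simplified to "last two labels"."""
from dataclasses import dataclass

# Constructed stand-in for TXT lookups of _dmarc.<domain>.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=quarantine",
    "example.org": "v=DMARC1; p=none",
}

# Assumed names for the actions selectable for messages that fail DMARC.
ACTIONS = {"conform", "tag", "quarantine", "reject", "deliver"}


@dataclass
class AuthResults:
    spf_result: str    # SPF result for the envelope sender ("pass", "fail", "softfail", ...)
    spf_domain: str    # domain of the envelope sender (RFC5321.MailFrom)
    dkim_result: str   # "pass" if a signature verified, otherwise the failure kind
    dkim_domain: str   # d= tag of the verified signature


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Simplified: real implementations consult the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, auth, action="conform", lookup=DMARC_RECORDS.get):
    """Return (dmarc_result, disposition).

    dmarc_result is 'pass', 'fail' or 'none' (no policy published);
    disposition is 'deliver', 'tag', 'quarantine' or 'reject'."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    # Look for a policy on the exact From domain, then on its organizational domain.
    record = lookup(from_domain.lower()) or lookup(org_domain(from_domain))
    if record is None:
        return "none", "deliver"      # nothing published, nothing to enforce
    tags = parse_dmarc(record)
    spf_ok = auth.spf_result == "pass" and aligned(
        auth.spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = auth.dkim_result == "pass" and aligned(
        auth.dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"      # one aligned, passing identifier is enough
    if action != "conform":
        return "fail", action         # local override of the sender's policy
    policy = tags.get("p", "none")    # p=none means monitor only
    return "fail", {"quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")
```

Note that a DKIM signature from `mail.example.com` does not satisfy `adkim=s` on `example.com`, while the same signature would align under the relaxed default; that is why the strict tag in the constructed record causes a reject for a message whose SPF identifier belongs to another domain.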

SPF

Sender Policy Framework (SPF) allows you to verify that incoming email comes from an IP address authorized by the sending domain's administrators. Spam and phishing emails often use forged addresses.

Hard failure occurs when the sender's IP address isn't listed as an authorized sender. To ensure that only the authorized IP addresses can send email, the sender must end the SPF record with -all. Hard failure is the default SPF check for which you can configure the failure action.

You can also configure the action for the other SPF failure results:

  • Soft failure: Occurs when the sender's IP address is probably not authorized. This happens when the domain owner hasn't set the more definitive restriction that would produce a hard fail: to state that only the authorized IP addresses should send email, without asserting it definitively, the sender ends the SPF record with ~all.
  • Neutral: Occurs when the sender's domain explicitly states that it's not asserting whether the sender's IP address is authorized or not, by specifying ?all in the SPF record. In this case, emails from any sender IP address give a neutral result.
  • Unsupported: Occurs when the sender hasn't configured the SPF record.
  • Temporary failure: Occurs due to a temporary error, usually a DNS (Domain Name Server) error, while performing the check. This error may resolve itself without any intervention from the DNS operator.
  • Permanent failure: Occurs when the domain's published records can't be correctly interpreted. This indicates an error that requires the DNS operator's intervention.
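To make the SPF results above concrete, here is a minimal SPF evaluator, added for this page and not Sophos Email Security's code, that maps a sending IP and a domain's published record onto the result categories just listed: pass, fail (hard failure), softfail, neutral, none (the "Unsupported" case), temperror and permerror. It generalizes the -all / ~all / ?all examples to any qualifier on any mechanism and follows include: chains. DNS is replaced by a constructed in-memory table, the `DnsTempError` exception is an assumption standing in for a resolver timeout, and only the ip4, ip6, include and all mechanisms are implemented.

```python
"""Added example, not Sophos code: a small SPF evaluator that returns the
result categories described in the SPF section. DNS is replaced by a
constructed table; a, mx, exists, redirect and macros are not handled."""
import ipaddress

# Constructed stand-in for DNS TXT lookups. "TIMEOUT" simulates a resolver
# that does not answer (temporary DNS error); a missing key means no record.
SPF_RECORDS = {
    "strict.example":  "v=spf1 ip4:203.0.113.0/24 -all",
    "soft.example":    "v=spf1 ip4:203.0.113.0/24 ~all",
    "neutral.example": "v=spf1 ip4:203.0.113.0/24 ?all",
    "parent.example":  "v=spf1 include:strict.example -all",
    "v6.example":      "v=spf1 ip6:2001:db8::/32 -all",
    "broken.example":  "v=spf1 ip4:not-an-address -all",
    "loop.example":    "v=spf1 include:loop.example -all",
    "flaky.example":   "TIMEOUT",
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class DnsTempError(Exception):
    """Assumed exception raised by the constructed resolver on a timeout."""


def dns_txt(domain):
    value = SPF_RECORDS.get(domain.lower())
    if value == "TIMEOUT":
        raise DnsTempError(domain)
    return value


def evaluate_spf(ip, domain, lookup=dns_txt, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none', 'temperror'
    or 'permerror' for the given sending IP and sender domain."""
    if depth > 10:
        return "permerror"            # include chains are limited to 10 lookups
    try:
        record = lookup(domain)
    except DnsTempError:
        return "temperror"            # DNS did not answer; may succeed on retry
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                 # no SPF published ("Unsupported" above)
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"               # an unqualified mechanism means pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        try:
            if name == "all":
                matched = True
            elif name in ("ip4", "ip6"):
                # Different address families never match each other.
                matched = addr in ipaddress.ip_network(arg, strict=False)
            elif name == "include":
                inner = evaluate_spf(ip, arg, lookup, depth + 1)
                if inner in ("temperror", "permerror"):
                    return inner
                if inner == "none":
                    return "permerror"  # included domain publishes no record
                matched = inner == "pass"
            else:
                return "permerror"      # mechanism not handled by this evaluator
        except ValueError:
            return "permerror"          # malformed network in the record
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # nothing matched and no "all" term
```

The same sending IP, 198.51.100.7, gives a hard fail against `strict.example`, a soft fail against `soft.example` and a neutral result against `neutral.example`, which is exactly the difference between the -all, ~all and ?all endings described above; the broken and looping records show what turns into a permanent failure and the timed-out one what a temporary failure looks like.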

Select from:

  • Tag subject line: Email Security adds a tag to the message's subject line indicating that it's a spoofed message. This is the default value.
  • Quarantine: Message is quarantined.
  • Reject: Message is rejected.
  • Deliver: Message is delivered to the next stage.

DKIM

DomainKeys Identified Mail (DKIM) is an authentication framework used to sign and validate a message based on the domain of the sender. You can control what happens to messages that fail DKIM checks.

Hard failure occurs when DKIM is configured, the email carries a DKIM signature, and DNS responds properly, but the signature doesn't verify. Hard failure is the default DKIM check for which you can configure the failure action.

You can also configure the action for the other DKIM failure results:

  • Unsupported: Occurs when the sender hasn't configured DKIM or the DKIM key published by the sender in the DNS record isn't valid.
  • Temporary failure: Occurs due to a temporary error, usually a DNS error, while performing the check. This error may resolve itself without any intervention from the DNS operator.
  • Permanent failure: Occurs when the domain's published records can't be correctly interpreted. This indicates an error that requires the DNS operator's intervention.

Select from:

  • Tag subject line: Email Security adds a tag to the message's subject line indicating that it's a spoofed message. This is the default value.
  • Quarantine: Message is quarantined.
  • Reject: Message is rejected.
  • Deliver: Message is delivered to the next stage.